@aifabrix/builder 2.6.3 → 2.8.0

package/lib/commands/datasource.js

@@ -0,0 +1,94 @@
+/**
+ * AI Fabrix Builder - Datasource Commands
+ *
+ * Handles datasource validation, listing, comparison, and deployment
+ * Commands: datasource validate, datasource list, datasource diff, datasource deploy
+ *
+ * @fileoverview Datasource management commands for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { validateDatasourceFile } = require('../datasource-validate');
+const { listDatasources } = require('../datasource-list');
+const { compareDatasources } = require('../datasource-diff');
+const { deployDatasource } = require('../datasource-deploy');
+
+/**
+ * Setup datasource management commands
+ * @param {Command} program - Commander program instance
+ */
+function setupDatasourceCommands(program) {
+  const datasource = program
+    .command('datasource')
+    .description('Manage external data sources');
+
+  // Validate command
+  datasource
+    .command('validate <file>')
+    .description('Validate external datasource JSON file')
+    .action(async(file) => {
+      try {
+        const result = await validateDatasourceFile(file);
+        if (result.valid) {
+          logger.log(chalk.green(`\n✓ Datasource file is valid: ${file}`));
+        } else {
+          logger.log(chalk.red(`\n✗ Datasource file has errors: ${file}`));
+          result.errors.forEach(error => {
+            logger.log(chalk.red(`  • ${error}`));
+          });
+          process.exit(1);
+        }
+      } catch (error) {
+        logger.error(chalk.red('❌ Validation failed:'), error.message);
+        process.exit(1);
+      }
+    });
+
+  // List command
+  datasource
+    .command('list')
+    .description('List datasources from environment')
+    .requiredOption('-e, --environment <env>', 'Environment ID or key')
+    .action(async(options) => {
+      try {
+        await listDatasources(options);
+      } catch (error) {
+        logger.error(chalk.red('❌ Failed to list datasources:'), error.message);
+        process.exit(1);
+      }
+    });
+
+  // Diff command
+  datasource
+    .command('diff <file1> <file2>')
+    .description('Compare two datasource configuration files (for dataplane)')
+    .action(async(file1, file2) => {
+      try {
+        await compareDatasources(file1, file2);
+      } catch (error) {
+        logger.error(chalk.red('❌ Diff failed:'), error.message);
+        process.exit(1);
+      }
+    });
+
+  // Deploy command
+  datasource
+    .command('deploy <myapp> <file>')
+    .description('Deploy datasource to dataplane')
+    .requiredOption('--controller <url>', 'Controller URL')
+    .requiredOption('-e, --environment <env>', 'Environment (miso, dev, tst, pro)')
+    .action(async(myapp, file, options) => {
+      try {
+        await deployDatasource(myapp, file, options);
+      } catch (error) {
+        logger.error(chalk.red('❌ Deployment failed:'), error.message);
+        process.exit(1);
+      }
+    });
+}
+
+module.exports = { setupDatasourceCommands };
+

package/lib/commands/login.js

@@ -302,20 +302,51 @@ async function pollAndSaveDeviceCodeToken(controllerUrl, deviceCode, interval, e
   }
 }
 
+/**
+ * Build scope string from options
+ * @param {boolean} [offline] - Whether to request offline_access
+ * @param {string} [customScope] - Custom scope string
+ * @returns {string} Scope string
+ */
+function buildScope(offline, customScope) {
+  const defaultScope = 'openid profile email';
+
+  if (customScope) {
+    // If custom scope provided, use it and optionally add offline_access
+    if (offline && !customScope.includes('offline_access')) {
+      return `${customScope} offline_access`;
+    }
+    return customScope;
+  }
+
+  // Default scope with optional offline_access
+  if (offline) {
+    return `${defaultScope} offline_access`;
+  }
+
+  return defaultScope;
+}
+
 /**
  * Handle device code flow login
  * @async
  * @param {string} controllerUrl - Controller URL
  * @param {string} [environment] - Environment key from options
+ * @param {boolean} [offline] - Whether to request offline_access scope
+ * @param {string} [scope] - Custom scope string
  * @returns {Promise<{token: string, environment: string}>} Token and environment
  */
-async function handleDeviceCodeLogin(controllerUrl, environment) {
+async function handleDeviceCodeLogin(controllerUrl, environment, offline, scope) {
   const envKey = await getEnvironmentKey(environment);
+  const requestScope = buildScope(offline, scope);
 
   logger.log(chalk.blue('\n📱 Initiating device code flow...\n'));
+  if (offline) {
+    logger.log(chalk.gray(`Requesting offline token (scope: ${requestScope})\n`));
+  }
 
   try {
-    const deviceCodeResponse = await initiateDeviceCodeFlow(controllerUrl, envKey);
+    const deviceCodeResponse = await initiateDeviceCodeFlow(controllerUrl, envKey, requestScope);
 
     displayDeviceCodeInfo(deviceCodeResponse.user_code, deviceCodeResponse.verification_uri, logger, chalk);
 
@@ -369,6 +400,12 @@ async function handleLogin(options) {
   let token;
   let expiresAt;
 
+  // Validate scope options - only applicable to device flow
+  if (method === 'credentials' && (options.offline || options.scope)) {
+    logger.log(chalk.yellow('⚠️  Warning: --offline and --scope options are only available for device flow'));
+    logger.log(chalk.gray('   These options will be ignored for credentials method\n'));
+  }
+
   if (method === 'credentials') {
     if (!options.app) {
       logger.error(chalk.red('❌ --app is required for credentials login method'));
@@ -379,7 +416,7 @@ async function handleLogin(options) {
     expiresAt = loginResult.expiresAt;
     await saveCredentialsLoginConfig(controllerUrl, token, expiresAt, environment, options.app);
   } else if (method === 'device') {
-    const result = await handleDeviceCodeLogin(controllerUrl, options.environment);
+    const result = await handleDeviceCodeLogin(controllerUrl, options.environment, options.offline, options.scope);
     token = result.token;
     environment = result.environment;
     return; // Early return for device flow (already saved config)

package/lib/config.js

@@ -12,6 +12,7 @@ const fs = require('fs').promises;
 const path = require('path');
 const yaml = require('js-yaml');
 const os = require('os');
+const { encryptToken, decryptToken, isTokenEncrypted } = require('./utils/token-encryption');
 // Avoid importing paths here to prevent circular dependency.
 // Config location is always under OS home at ~/.aifabrix/config.yaml
 
@@ -26,11 +27,6 @@ const RUNTIME_CONFIG_FILE = path.join(RUNTIME_CONFIG_DIR, 'config.yaml');
 // Cache for developer ID - loaded when getConfig() is first called
 let cachedDeveloperId = null;
 
-/**
- * Get stored configuration
- * Loads developer ID and caches it as a property for easy access
- * @returns {Promise<Object>} Configuration object with new structure
- */
 async function getConfig() {
   try {
     const configContent = await fs.readFile(RUNTIME_CONFIG_FILE, 'utf8');
@@ -156,61 +152,37 @@ async function getDeveloperId() {
  */
 async function setDeveloperId(developerId) {
   const DEV_ID_DIGITS_REGEX = /^[0-9]+$/;
+  const errorMsg = 'Developer ID must be a non-negative digit string or number (0 = default infra, > 0 = developer-specific)';
   let devIdString;
   if (typeof developerId === 'number') {
-    if (!Number.isFinite(developerId) || developerId < 0) {
-      throw new Error('Developer ID must be a non-negative digit string or number (0 = default infra, > 0 = developer-specific)');
-    }
+    if (!Number.isFinite(developerId) || developerId < 0) throw new Error(errorMsg);
     devIdString = String(developerId);
   } else if (typeof developerId === 'string') {
-    if (!DEV_ID_DIGITS_REGEX.test(developerId)) {
-      throw new Error('Developer ID must be a non-negative digit string or number (0 = default infra, > 0 = developer-specific)');
-    }
+    if (!DEV_ID_DIGITS_REGEX.test(developerId)) throw new Error(errorMsg);
     devIdString = developerId;
   } else {
-    throw new Error('Developer ID must be a non-negative digit string or number (0 = default infra, > 0 = developer-specific)');
+    throw new Error(errorMsg);
   }
-  // Clear cache first to ensure we get fresh data from file
   cachedDeveloperId = null;
-  // Read file directly to avoid any caching issues
   const config = await getConfig();
-  // Update developer ID
   config['developer-id'] = devIdString;
-  // Update cache before saving
   cachedDeveloperId = devIdString;
-  // Save the entire config object to ensure all fields are preserved
   await saveConfig(config);
-  // Verify the file was saved correctly by reading it back
-  // This ensures the file system has written the data
-  // Add a small delay to ensure file system has flushed the write
   await new Promise(resolve => setTimeout(resolve, 100));
-  // Read file again with fresh file handle to avoid OS caching
   const savedContent = await fs.readFile(RUNTIME_CONFIG_FILE, 'utf8');
   const savedConfig = yaml.load(savedContent);
-  // YAML may parse numbers as numbers, so convert to string for comparison
   const savedDevIdString = String(savedConfig['developer-id']);
   if (savedDevIdString !== devIdString) {
     throw new Error(`Failed to save developer ID: expected ${devIdString}, got ${savedDevIdString}. File content: ${savedContent.substring(0, 200)}`);
   }
-  // Clear the cache to force reload from file on next getDeveloperId() call
-  // This ensures we get the value that was actually saved to disk
   cachedDeveloperId = null;
 }
 
-/**
- * Get current environment from root-level config
- * @returns {Promise<string>} Current environment (defaults to 'dev')
- */
 async function getCurrentEnvironment() {
   const config = await getConfig();
   return config.environment || 'dev';
 }
 
-/**
- * Set current environment in root-level config
- * @param {string} environment - Environment to set (e.g., 'miso', 'dev', 'tst', 'pro')
- * @returns {Promise<void>}
- */
 async function setCurrentEnvironment(environment) {
   if (!environment || typeof environment !== 'string') {
     throw new Error('Environment must be a non-empty string');
@@ -220,31 +192,45 @@ async function setCurrentEnvironment(environment) {
   await saveConfig(config);
 }
 
-/**
- * Check if token is expired
- * @param {string} expiresAt - ISO timestamp string
- * @returns {boolean} True if token is expired
- */
 function isTokenExpired(expiresAt) {
   if (!expiresAt) return true;
   const expirationTime = new Date(expiresAt).getTime();
   const now = Date.now();
-  return now >= (expirationTime - 5 * 60 * 1000); // 5 minute buffer
+  return now >= (expirationTime - 5 * 60 * 1000);
 }
 
-/**
- * Check if token should be refreshed proactively (within 15 minutes of expiry)
- * Helps keep Keycloak sessions alive by refreshing before SSO Session Idle timeout (30 minutes)
- * @param {string} expiresAt - ISO timestamp string
- * @returns {boolean} True if token should be refreshed proactively
- */
 function shouldRefreshToken(expiresAt) {
   if (!expiresAt) return true;
   const expirationTime = new Date(expiresAt).getTime();
   const now = Date.now();
-  return now >= (expirationTime - 15 * 60 * 1000); // 15 minutes buffer
+  return now >= (expirationTime - 15 * 60 * 1000);
+}
+async function encryptTokenValue(value) {
+  if (!value || typeof value !== 'string') return value;
+  try {
+    const encryptionKey = await getSecretsEncryptionKey();
+    if (!encryptionKey) return value;
+    if (isTokenEncrypted(value)) return value;
+    const encrypted = encryptToken(value, encryptionKey);
+    // Ensure we never return undefined for valid inputs
+    return encrypted !== undefined && encrypted !== null ? encrypted : value;
+  } catch (error) {
+    return value;
+  }
+}
+async function decryptTokenValue(value) {
+  if (!value || typeof value !== 'string') return value;
+  try {
+    const encryptionKey = await getSecretsEncryptionKey();
+    if (!encryptionKey) return value;
+    if (!isTokenEncrypted(value)) return value;
+    const decrypted = decryptToken(value, encryptionKey);
+    // Ensure we never return undefined for valid inputs
+    return decrypted !== undefined && decrypted !== null ? decrypted : value;
+  } catch (error) {
+    return value;
+  }
 }
-
 /**
  * Get device token for controller
  * @param {string} controllerUrl - Controller URL
@@ -254,10 +240,37 @@ async function getDeviceToken(controllerUrl) {
   const config = await getConfig();
   if (!config.device || !config.device[controllerUrl]) return null;
   const deviceToken = config.device[controllerUrl];
+
+  // Migration: If tokens are plain text and encryption key exists, encrypt them first
+  const encryptionKey = await getSecretsEncryptionKey();
+  if (encryptionKey) {
+    let needsSave = false;
+
+    if (deviceToken.token && !isTokenEncrypted(deviceToken.token)) {
+      // Token is plain text, encrypt it
+      deviceToken.token = await encryptTokenValue(deviceToken.token);
+      needsSave = true;
+    }
+
+    if (deviceToken.refreshToken && !isTokenEncrypted(deviceToken.refreshToken)) {
+      // Refresh token is plain text, encrypt it
+      deviceToken.refreshToken = await encryptTokenValue(deviceToken.refreshToken);
+      needsSave = true;
+    }
+
+    if (needsSave) {
+      // Save encrypted tokens back to config
+      await saveConfig(config);
+    }
+  }
+  // Decrypt tokens if encrypted (for return value)
+  const token = deviceToken.token ? await decryptTokenValue(deviceToken.token) : undefined;
+  const refreshToken = deviceToken.refreshToken ? await decryptTokenValue(deviceToken.refreshToken) : null;
+
   return {
     controller: controllerUrl,
-    token: deviceToken.token,
-    refreshToken: deviceToken.refreshToken,
+    token: token,
+    refreshToken: refreshToken,
     expiresAt: deviceToken.expiresAt
   };
 }
@@ -272,7 +285,26 @@ async function getClientToken(environment, appName) {
   const config = await getConfig();
   if (!config.environments || !config.environments[environment]) return null;
   if (!config.environments[environment].clients || !config.environments[environment].clients[appName]) return null;
-  return config.environments[environment].clients[appName];
+
+  const clientToken = config.environments[environment].clients[appName];
+
+  // Migration: If token is plain text and encryption key exists, encrypt it first
+  const encryptionKey = await getSecretsEncryptionKey();
+  if (encryptionKey && clientToken.token && !isTokenEncrypted(clientToken.token)) {
+    // Token is plain text, encrypt it
+    clientToken.token = await encryptTokenValue(clientToken.token);
+    // Save encrypted token back to config
+    await saveConfig(config);
+  }
+
+  // Decrypt token if encrypted (for return value)
+  const token = await decryptTokenValue(clientToken.token);
+
+  return {
+    controller: clientToken.controller,
+    token: token,
+    expiresAt: clientToken.expiresAt
+  };
 }
 
 /**
@@ -286,7 +318,16 @@ async function getClientToken(environment, appName) {
 async function saveDeviceToken(controllerUrl, token, refreshToken, expiresAt) {
   const config = await getConfig();
   if (!config.device) config.device = {};
-  config.device[controllerUrl] = { token, refreshToken, expiresAt };
+
+  // Encrypt tokens before saving
+  const encryptedToken = await encryptTokenValue(token);
+  const encryptedRefreshToken = refreshToken ? await encryptTokenValue(refreshToken) : null;
+
+  config.device[controllerUrl] = {
+    token: encryptedToken,
+    refreshToken: encryptedRefreshToken,
+    expiresAt
+  };
   await saveConfig(config);
 }
 
@@ -304,7 +345,15 @@ async function saveClientToken(environment, appName, controllerUrl, token, expir
   if (!config.environments) config.environments = {};
   if (!config.environments[environment]) config.environments[environment] = { clients: {} };
   if (!config.environments[environment].clients) config.environments[environment].clients = {};
-  config.environments[environment].clients[appName] = { controller: controllerUrl, token, expiresAt };
+
+  // Encrypt token before saving
+  const encryptedToken = await encryptTokenValue(token);
+
+  config.environments[environment].clients[appName] = {
+    controller: controllerUrl,
+    token: encryptedToken,
+    expiresAt
+  };
   await saveConfig(config);
 }
 
@@ -349,100 +398,56 @@ async function setSecretsEncryptionKey(key) {
   await saveConfig(config);
 }
 
-/**
- * Get general secrets path from configuration
- * Returns aifabrix-secrets path from config.yaml if configured
- * @returns {Promise<string|null>} Secrets path or null if not set
- */
 async function getSecretsPath() {
   const config = await getConfig();
-  // Backward compatibility: prefer new key, fallback to legacy
   return config['aifabrix-secrets'] || config['secrets-path'] || null;
 }
 
-/**
- * Set general secrets path in configuration
- * @param {string} secretsPath - Path to general secrets file
- * @returns {Promise<void>}
- */
 async function setSecretsPath(secretsPath) {
   if (!secretsPath || typeof secretsPath !== 'string') {
     throw new Error('Secrets path is required and must be a string');
   }
-
   const config = await getConfig();
-  // Store under new canonical key
   config['aifabrix-secrets'] = secretsPath;
   await saveConfig(config);
 }
 
-/**
- * Get aifabrix-home override from configuration
- * @returns {Promise<string|null>} Home override path or null if not set
- */
-async function getAifabrixHomeOverride() {
+async function getPathConfig(key) {
   const config = await getConfig();
-  return config['aifabrix-home'] || null;
+  return config[key] || null;
 }
 
-/**
- * Set aifabrix-home override in configuration
- * @param {string} homePath - Base directory path for AI Fabrix files
- * @returns {Promise<void>}
- */
-async function setAifabrixHomeOverride(homePath) {
-  if (!homePath || typeof homePath !== 'string') {
-    throw new Error('Home path is required and must be a string');
+async function setPathConfig(key, value, errorMsg) {
+  if (!value || typeof value !== 'string') {
+    throw new Error(errorMsg);
   }
   const config = await getConfig();
-  config['aifabrix-home'] = homePath;
+  config[key] = value;
   await saveConfig(config);
 }
 
-/**
- * Get aifabrix-secrets path from configuration (canonical)
- * @returns {Promise<string|null>} Secrets path or null if not set
- */
+async function getAifabrixHomeOverride() {
+  return getPathConfig('aifabrix-home');
+}
+
+async function setAifabrixHomeOverride(homePath) {
+  await setPathConfig('aifabrix-home', homePath, 'Home path is required and must be a string');
+}
+
 async function getAifabrixSecretsPath() {
-  const config = await getConfig();
-  return config['aifabrix-secrets'] || null;
+  return getPathConfig('aifabrix-secrets');
 }
 
-/**
- * Set aifabrix-secrets path in configuration (canonical)
- * @param {string} secretsPath - Path to default secrets file
- * @returns {Promise<void>}
- */
 async function setAifabrixSecretsPath(secretsPath) {
-  if (!secretsPath || typeof secretsPath !== 'string') {
-    throw new Error('Secrets path is required and must be a string');
-  }
-  const config = await getConfig();
-  config['aifabrix-secrets'] = secretsPath;
-  await saveConfig(config);
+  await setPathConfig('aifabrix-secrets', secretsPath, 'Secrets path is required and must be a string');
 }
 
-/**
- * Get aifabrix-env-config path from configuration
- * @returns {Promise<string|null>} Env config path or null if not set
- */
 async function getAifabrixEnvConfigPath() {
-  const config = await getConfig();
-  return config['aifabrix-env-config'] || null;
+  return getPathConfig('aifabrix-env-config');
 }
 
-/**
- * Set aifabrix-env-config path in configuration
- * @param {string} envConfigPath - Path to user env-config file
- * @returns {Promise<void>}
- */
 async function setAifabrixEnvConfigPath(envConfigPath) {
-  if (!envConfigPath || typeof envConfigPath !== 'string') {
-    throw new Error('Env config path is required and must be a string');
-  }
-  const config = await getConfig();
-  config['aifabrix-env-config'] = envConfigPath;
-  await saveConfig(config);
+  await setPathConfig('aifabrix-env-config', envConfigPath, 'Env config path is required and must be a string');
 }
 
 // Create exports object
@@ -461,6 +466,8 @@ const exportsObj = {
   getClientToken,
   saveDeviceToken,
   saveClientToken,
+  encryptTokenValue,
+  decryptTokenValue,
   getSecretsEncryptionKey,
   setSecretsEncryptionKey,
   getSecretsPath,